High Threat Security Alert (A20-04-03): Multiple Vulnerabilities in Microsoft Products (April 2020)

Description:

Microsoft has released security updates addressing multiple vulnerabilities which affect several Microsoft products or components. The list of security updates can be found at:

https://support.microsoft.com/en-us/help/20200414/security-update-deployment-information-april-14-2020

The April 2020 security updates released by Microsoft addressed multiple remote code execution vulnerabilities that are under active exploitation. The vulnerabilities exist in the Adobe Type Manager Library (CVE-2020-0938 and CVE-2020-1020) as well as the Microsoft Internet Explorer 9 and 11 (CVE-2020-0968). Both Windows and Windows Server are affected. System administrators and end users are advised to take immediate action to patch your affected systems to mitigate the elevated risk of cyber attacks.

Affected Systems:

• Microsoft Internet Explorer 9, 11
• Microsoft Edge (EdgeHTML-based)
• Microsoft Windows 7, 8.1, RT 8.1, 10
• Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019
• Microsoft Windows Server, version 1803, version 1903, version 1909
• Microsoft Office 2010, 2013, 2013 RT, 2016, 2016 for Mac, 2019, 2019 for Mac
• Microsoft Office 365 ProPlus
• Microsoft Office Online Server
• Microsoft Office Web Apps 2010, 2013
• Microsoft Excel 2010, 2013, 2013 RT, 2016
• Microsoft PowerPoint 2010, 2013, 2013 RT, 2016
• Microsoft Word 2010, 2013, 2013 RT, 2016
• Microsoft Outlook 2010, 2013, 2013 RT, 2016
• Microsoft Access 2010, 2013, 2016
• Microsoft Project 2010, 2013, 2016
• Microsoft Project Server 2013
• Microsoft SharePoint Foundation 2010, 2013
• Microsoft SharePoint Enterprise Server 2013, 2016
• Microsoft SharePoint Server 2010, 2019
• Microsoft Business Productivity Servers 2010
• Microsoft Dynamics 365 Business Central 2019
• Microsoft Dynamics 365 Server, version 9.0
• Microsoft Dynamics 365 BC On Premise
• Microsoft Dynamics NAV 2013, 2015, 2016, 2017, 2018
• Microsoft Forefront Endpoint Protection 2010
• Microsoft Publisher 2010, 2013, 2016
• Microsoft Research JavaScript Cryptography Library V1.4
• Microsoft Security Essentials
• Microsoft System Center 2012, 2012 R2 Endpoint Protection
• Microsoft Visio 2010, 2013, 2016
• Microsoft Visual Studio 2015, 2017, 2019
• Microsoft OneDrive for Windows
• Microsoft Your Phone Companion App for Android
• Microsoft AutoUpdate for Mac
• Microsoft RMS Sharing for Mac
• Microsoft Remote Desktop for Mac
• Windows Defender
• ChakraCore

Impact:

Depending on the vulnerability exploited, a successful attack could lead to remote code execution, elevation of privilege, denial of service, information disclosure, spoofing and security feature bypass.

Recommendation:

Patches for affected products are available from the Windows Update / Microsoft Update Catalog. Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

More Information:

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr
https://support.microsoft.com/en-us/help/20200414/security-update-deployment-information-april-14-2020
https://www.hkcert.org/my_url/en/alert/20041501
https://www.us-cert.gov/ncas/current-activity/2020/04/14/microsoft-releases-april-2020-security-updates
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0687
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0699
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0760
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0821
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0888
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0889
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0895
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0906
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0907
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0910
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0913
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0917
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0918
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0919
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0920
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0923 (to CVE-2020-0927)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0929 (to CVE-2020-0940)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0942 (to CVE-2020-0950)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0952 (to CVE-2020-0962)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0964 (to CVE-2020-0985)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0991 (to CVE-2020-0996)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0999 (to CVE-2020-1009)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1014 (to CVE-2020-1020)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1026
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1027
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1029
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1050
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1094